Badger DAO Exploit Abuses User Interface to Steal $10 Million in Cryptocurrency
Decentralized finance protocol BadgerDAO has fallen victim to an exploit that saw attackers steal $10 million in various cryptocurrencies from the BadgerDAO yield vault protocol.
The Badger DAO decentralized finance protocol, which allows users to earn interest on their crypto holdings by lending them for a period of time, has fallen victim to an exploit that saw attackers steal $10 million in various crypto assets from the BadgerDAO yield vault protocol.
On the Badger.com site, users are able to claim a portion of the "yield" produced by the yield vault protocol, which distributes and redistributes funds based on a number of factors, including supply and demand. The Badger vaults require an initial investment of at least $10 worth of Ether in order to begin staking. Each day, users are able to stake their Badger holdings for additional yield tokens, in proportion to how much they have already staked.
The Badger team provided details of the exploit, and revealed that it had been patched before the attacker could withdraw more funds. "The bug only affected the withdrawal process of Yield-Vault; it did not affect any other part of the application," the team said. "An attacker was able to withdraw funds from the BadgerDAO by calling the 'withdraw' function of the Vault contract multiple times, thereby receiving tokens from many different vaults at once."
The exploit has led to a loss of $10 million in various cryptocurrencies, including $3 million of ether (ETH), $5.5 million of DAI and $1 million in BNB tokens. Badger DAO has already deployed a hotfix to prevent further withdrawals and has begun the process of reimbursing users who lost funds during this time.
The United States Computer Emergency Readiness Team (US-CERT), the Department of Homeland Security's (DHS) cybersecurity arm, recently released an alert warning of a vulnerability in the Badger DAO protocol. The vulnerability is caused by the interaction of two specific smart contracts within the Badger DAO system. It allows an attacker to exploit the yield farming reward process and withdraw funds from any Badger DAO member wallet without that fund holder's permission.
The Badger DAO is a decentralized finance and governance protocol for Ethereum. Badger DAO provides a yield farming mechanism that enables users to claim passive income from their funds in the form of an ERC-20 token called BADG. The protocol also allows users to create and participate in decentralized autonomous organizations (DAOs).
The Badger team has confirmed that the exploit is in the badgerdao.com site, not the smart contract: "We're very sorry for this, and we're working to fix it asap. We will update everyone as soon as we have more information."
The exploit was discovered in the early hours of Friday morning (UTC). The Badger.com website has been down since the incident and appears to still be offline at the time of writing.
In an effort to provide the most accurate information possible, we are delaying the publication of our Q2 financial report in order to obtain a complete view of all Q2 results. We will be updating this report as soon as possible.